GitBook: [#3349] No subject

2022-08-04 10:55:21 +00:00 · 2022-08-04 10:55:21 +00:00 · b5f741ec8d
parent a8b371da13
commit b5f741ec8d
6 changed files with 23 additions and 2 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md
@ -121,7 +121,28 @@ In PHP ≤ 5.3.22 and ≤ 5.4.12, the constructor of SoapClient was **vulnerable

 Checking the **dependencies** of the **project** you are trying to exploit you could find **new classes** that could be **abused to execute commands** creating a new object. In this case, **Imagick** was found to be useful for that purpose.

+### VID parser

+The VID parser allows to write arbitrary content in an arbitrary path inside the filesystem, which would allow an attacker to write a PHPshell in an accessible folder from the web page and get RCE.
+
+![](<../../../.gitbook/assets/image (157).png>)
+
+#### VID Parser + FIle Upload
+
+When a file is uploaded to PHP it's temporary stored in `/tmp/phpXXXXXX` . The VID parser of Imagick with the **msl** protocol allows to **specify wildcards in the file paths** (so the temporary uploaded file can be easily accessed) and **copy it to any arbitrary location**.\
+This is another way to get arbitrary file writing inside the filesystem:
+
+![](<../../../.gitbook/assets/image (159).png>)
+
+### PHP Crash + Brute Force
+
+The [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) explained another way to get RCE by **uploading files with specific content** and making the **server crash before it deletes** that file and then **bruteforcing the name** of the temporary file until **Imagick executes arbitrary PHP code**.
+
+However, apparently the **crash trick** discovered only **worked in an old version of ImageMagick**.
+
+## References
+
+* [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)

 <details>

--- a/pentesting-web/cache-deception.md
+++ b/pentesting-web/cache-deception.md
@ -143,7 +143,7 @@ GitLab uses GCP buckets to store static content. **GCP Buckets** support the **h

 Ruby on Rails applications are often deployed alongside the Rack middleware. The Rack code below takes the value of the **`x-forwarded-scheme` value and uses it as the scheme of the request**.

-![](<../.gitbook/assets/image (159).png>)
+![](<../.gitbook/assets/image (159) (2).png>)

 Sending the `x-forwarded-scheme: http` header would result into a 301 redirect to the same location which will cause a DoS over that resource as in this example:

@ -151,7 +151,7 @@ Sending the `x-forwarded-scheme: http` header would result into a 301 redirect t

 The application might also support the header `X-forwarded-host` and redirect the user to that host, making possible to load javascripts files from the attacker server:

-![](<../.gitbook/assets/image (157).png>)
+![](<../.gitbook/assets/image (157) (2).png>)

 ### 403 and Storage Buckets